vCenter login fails with "Invalid Credential" when "Do not use Kerberos preauthentication" flag is enabled for active directory user

Article ID: 316507

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Web client login to vCenter fails with "Invalid Credential".
  • In the websso.log, you see entries similar to:

[2019-05-10T12:28:00.720+12:00 tomcat-http--37 domain.local fa32f63f-7e22-434d-9bf3-8700c526a4ee ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1073741809][null][null]
        at com.vmware.identity.idm.server.ServerUtils.getRemoteException(ServerUtils.java:124) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9757) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1263) ~[vmware-identity-idm-client-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:470) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:95) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStatePasswordAuthenticationFilter.authenticate(AuthnRequestStatePasswordAuthenticationFilter.java:45) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:123) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.impl.AuthnRequestStateCookieWrapper.authenticate(AuthnRequestStateCookieWrapper.java:43) [websso-7.0.0.jar:?]
        at com.vmware.identity.samlservice.AuthnRequestState.authenticate(AuthnRequestState.java:463) [websso-7.0.0.jar:?]
        at com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:89) [websso-7.0.0.jar:?]
        at com.vmware.identity.SsoController.sso(SsoController.java:100) [websso-7.0.0.jar:?]
        at sun.reflect.GeneratedMethodAccessor169.invoke(Unknown Source) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_202]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_202]

[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             fa32f63f-7e22-434d-9bf3-8700c526a4ee INFO  auditlogger] {"user":"[email protected]","client":"xx.xx.xx.xx","timestamp":"05/10/2019 12:28:00 NZST","description":"User [email protected]@<ip addr> failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             fa32f63f-7e22-434d-9bf3-8700c526a4ee ERROR com.vmware.identity.samlservice.AuthnRequestState] Caught Saml Service Exception from authenticate com.vmware.identity.samlservice.SamlServiceException
[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             fa32f63f-7e22-434d-9bf3-8700c526a4ee INFO  com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Invalid credentials
[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local             fa32f63f-7e22-434d-9bf3-8700c526a4ee INFO  com.vmware.identity.BaseSsoController] End processing SP-Initiated SSO response. Session was created.
[2019-05-10T12:28:19.959+12:00 tomcat-http--18 domain.local             5510ee91-12ab-4d0b-a541-dc5045c7420c INFO  com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_GB, tenant is domain.local
[2019-05-10T12:28:19.959+12:00 tomcat-http--18 domain.local             5510ee91-12ab-4d0b-a541-dc5045c7420c INFO  com.vmware.identity.SsoController] Request URL is https://v-vcs-psc.vmware.com/websso/SAML2/SSO/domain.local
[2019-05-10T12:28:20.005+12:00 tomcat-http--18 domain.local             3877ddc2-42fe-4c04-a7b3-ae9bdd2f4f90 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
[2019-05-10T12:28:20.012+12:00 tomcat-http--18 domain.local             3877ddc2-42fe-4c04-a7b3-ae9bdd2f4f90 INFO  com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
[2019-05-10T12:28:20.018+12:00 tomcat-http--18 domain.local             3877ddc2-42fe-4c04-a7b3-ae9bdd2f4f90 INFO  com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] Failed to retrieve default UPN for principal [email protected]
com.vmware.identity.idm.InvalidPrincipalException: Principal id [email protected] does not exist

  • The "Do not require Kerberos preauthentication" flag is enabled for the user account in Active Directory.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
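
To check a websso.log for this symptom without reading stack traces by hand, the following added example (not part of the original article or any VMware tooling) groups entries by correlation ID and reports logins that show both the native error code from the excerpt and a LoginFailure audit event. The function name and the sample lines are assumptions constructed for illustration; the accounts it reports are candidates to check for the flag in Active Directory.

```python
import json
import re

NATIVE_ERROR_CODE = "-1073741809"  # code from the article's IDMLoginException line

# Entry header: [timestamp thread tenant correlation-id LEVEL logger] message
ENTRY = re.compile(r"^\[(\S+)\s+\S+\s+\S+\s+([0-9a-f-]{36})\s+[A-Z]+\s+(\S+)\]\s*(.*)$")
NATIVE_ERR = re.compile(r"IDMLoginException: Native platform error \[code: (-?\d+)\]")

def find_symptom(lines):
    """Return logins that show both the native error and a LoginFailure audit event."""
    requests, current = {}, None
    for line in lines:
        header = ENTRY.match(line)
        if header:
            ts, cid, logger, msg = header.groups()
            current = requests.setdefault(cid, {"id": cid, "native_error": False})
            if logger == "auditlogger":
                try:
                    event = json.loads(msg)
                except ValueError:
                    continue  # truncated or wrapped audit line
                if event.get("type") == "com.vmware.sso.LoginFailure":
                    current.update(time=ts, user=event.get("user"), client=event.get("client"))
        elif current is not None:
            # Exception text and stack frames carry no header; they belong to the previous entry.
            err = NATIVE_ERR.search(line)
            if err and err.group(1) == NATIVE_ERROR_CODE:
                current["native_error"] = True
    return [r for r in requests.values() if r["native_error"] and "user" in r]

# Constructed sample modeled on the excerpt above (IDs, users and addresses are made up).
A, B = "11111111-1111-4111-8111-111111111111", "22222222-2222-4222-8222-222222222222"
SAMPLE = [
    f"[2019-05-10T12:28:00.720+12:00 tomcat-http--37 domain.local {A} ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.",
    "com.vmware.identity.idm.IDMLoginException: Native platform error [code: -1073741809][null][null]",
    "        at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9757)",
    f'[2019-05-10T12:28:00.730+12:00 tomcat-http--37 domain.local   {A} INFO  auditlogger] '
    '{"user":"svc-app@domain.local","client":"192.0.2.10","type":"com.vmware.sso.LoginFailure"}',
    f'[2019-05-10T12:31:02.114+12:00 tomcat-http--12 domain.local   {B} INFO  auditlogger] '
    '{"user":"jdoe@domain.local","client":"192.0.2.11","type":"com.vmware.sso.LoginFailure"}',
]

if __name__ == "__main__":
    for hit in find_symptom(SAMPLE):
        print(hit["time"], hit["user"], hit["client"], hit["id"])
```

The second sample login fails without the native error, so it is not reported; only failures that pair the audit event with the IDMLoginException code are listed.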

Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x

Resolution

To resolve this issue, uncheck the "Do not require Kerberos preauthentication" option for the affected user account in Active Directory.